Bitter Honey for Hackers
Feb 14th, 2008 by admin
You don't need to know what a proxy server is in order to use one, but if you are interested in a non-technical definition, a proxy is basically a gateway between a local network and larger-scale networks like the internet. It works by maintaining a cache of recently accessed web pages. When a client connects to a proxy and asks for a web page somewhere on the internet, the proxy fetches the page itself and sends the data to the client. The web server's logs usually contain only the IP address of the proxy that made the request. A proxy server can provide a range of features, such as adding another layer of security to the network, cutting down access to non-work-related sites in an organization, and letting you roam the web anonymously. The last one is a spammer favorite, since it hides their IP addresses, and, unsurprisingly, it is a nightmare for security agencies.
For those with a less technical background, an IP address is a unique identifying code assigned to every network user. When you visit a site on the web, the server records your IP address in a log. An IP address therefore leaves behind a trail of your internet activities; if you were able to hide your public IP, your internet activity would become almost untraceable. When someone visits a site through a proxy server, the site sees only the IP of the proxy server and not your home IP address. However, a public proxy comes with its own share of perils that you may have to put up with. Most of them are plagued with bandwidth limits and reliability problems, or, even more conveniently, they simply disappear from the internet without a trace. You might also find yourself blocked from certain web sites, as numerous forums block IP addresses belonging to proxies with a past reputation for spamming. Spammers work either by connecting directly to a remote mail server or by bouncing through open proxies. An open proxy allows anyone to remain anonymous while crawling the net; it provides a safe haven for spammers because it lets them send their spam while remaining anonymous.
The blatant abuse of proxies was instigated by the release of a program called Wingate. Before Windows supported internet functionality, people wanted a home network that allowed them to route their connections through a single dialup. Wingate was the program that let them do this; unfortunately it came with an insecure default configuration. The software allowed anyone to connect to the Wingate server and back out to another machine on another port. It is pretty much the equivalent of sending a personalized invitation to all the hackers around the world to come and have a blast screwing up other networks. The company eventually plugged the hole, but the original version was widely circulated and infrequently updated. The damage had already been done.
Everything that you do on a proxy server can be traced and logged with ease. Security agencies often deploy an open proxy server, termed a honeypot, to attract hackers and track their movements. Ironically, a hacker can also deploy a honeypot on a victim's computer and wait for a scanner to locate it. Many hackers and techies have massive egos and try their best to create an aura of mystery about themselves. They make it seem as though hacking is a complex art meant to be understood only by a few outrageously smart people. While hacking at the upper levels of technology definitely requires skill and lots of patience, there are loads of basic tricks that you can pull off without too much mental exertion. Thankfully, setting up a honeypot falls into the latter category, and can be as simple as getting an old computer, installing Windows, connecting it to the internet and throwing in the software. However, the safest approach is to connect the honeypot through an independent connection, keep it secluded from the other networks in your organization, and allow only limited outward connections.
Another option is to go for a "sacrifice box", a fully functional computer running a standard OS such as Windows or Linux. The machine is left intentionally vulnerable so that attackers gain full administrative access. This method carries a significant amount of risk, but it also provides numerous advantages over a conventional honeypot. Sacrifice boxes have minimal hardware requirements and are extremely easy to implement. Moreover, the fact that they use standard operating systems and software makes them hard to distinguish from non-honeypot machines. Intruders have been known to spend hours within a sacrifice box without realizing that they have been caught. The sacrifice box is not limited to pre-established responses, so the collected data can reveal the type and nature of the attacks in greater detail. It's imperative that you decide on the best configuration for the sacrifice box; this includes which servers to leave active and which service packs and patches to install. This usually depends on the administrator's objectives. If the intention is to draw the attacker away from the other hosts in a network, then it should be made as attractive and vulnerable as possible without arousing suspicion.
On the other hand, if the goal is to examine probable vulnerabilities, then you will have to make the sacrifice box resemble the type of machines it is protecting as closely as possible. Always keep in mind that leaving a known security hole open may draw in lots of familiar intruders; by closing those holes you can filter out the more crafty ones, the ones who will devise new and unexpected methods of attack. These are the intruders that are most valuable to catch. By carefully choosing which holes are left open and which are shut, you can focus with precision on the kinds of attacks you have seen before. If everything goes to plan, the attackers will gain control over the honeypot machine, so it must be isolated from the rest of the network. If you haven't properly secluded the honeypot, prepare to sit back and enjoy the show as the attacker uses it as a launching pad to wreak havoc on the other connected hosts. All traffic to the honeypot must also be routed through its own dedicated standalone firewall. Never, I repeat never, rely on "personal firewall" software to serve "double duty". If the firewall is compromised, absolute chaos will follow on all connected machines. The idea here is to allow almost all inbound traffic while severely clamping down on outbound traffic, which is the opposite of what most firewalls do. The catch is that this will immediately tip off a skilled intruder to the nature of the trap. So don't be too selective with outbound traffic: at the bare minimum an intruder will expect outbound ICMP and DNS traffic; Telnet traffic is no doubt a huge risk, but some FTP traffic usually serves to arouse the attacker's interest.
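An added example, not the article's own code, that models the dedicated honeypot firewall described above: nearly everything inbound to the honeypot is accepted, while outbound traffic is limited to replies, ICMP, DNS and a small FTP budget, with the production LAN unreachable and every clamped attempt recorded as the detection signal. The honeypot address, LAN prefix, FTP budget and the sample traffic are constructed assumptions.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport proto")
HONEYPOT = "10.0.9.5"       # constructed: honeypot address behind the dedicated firewall
LAN_PREFIX = "192.168.1."   # constructed: production LAN prefix that must stay unreachable
FTP_BUDGET = 1              # constructed: new outbound FTP connections allowed

class HoneypotFirewall:
    def __init__(self):
        self.flows = set()   # inbound flows accepted so far (connection tracking)
        self.ftp_new = 0     # new outbound FTP connections spent from the budget
        self.alerts = []     # notable outbound attempts: the detection signal

    def inbound(self, p):
        """Anything addressed to the honeypot gets in; remember the flow for its replies."""
        if p.dst != HONEYPOT:
            return "DROP"
        self.flows.add((p.src, p.sport, p.dport, p.proto))
        return "ACCEPT"

    def outbound(self, p):
        """Replies pass; new connections only for ICMP, DNS and a little FTP."""
        if (p.dst, p.dport, p.sport, p.proto) in self.flows:
            return "ACCEPT"                                   # reply to a tracked flow
        if p.dst.startswith(LAN_PREFIX):
            self.alerts.append(f"lateral {p.dst}:{p.dport}")  # never toward production hosts
            return "DROP"
        if p.proto == "icmp" or (p.proto == "udp" and p.dport == 53):
            return "ACCEPT"                                   # what an intruder expects to work
        if p.proto == "tcp" and p.dport == 21 and self.ftp_new < FTP_BUDGET:
            self.ftp_new += 1
            self.alerts.append(f"ftp {p.dst}")                # allowed, but still logged
            return "ACCEPT"
        self.alerts.append(f"blocked {p.proto}/{p.dport} to {p.dst}")
        return "DROP"                                         # Telnet, SMTP, everything else

def run_sample():
    """Constructed traffic: an attacker connects in, then tries to use the box as a launch pad."""
    fw, attacker, ext = HoneypotFirewall(), "203.0.113.7", "198.51.100.20"
    decisions = [
        fw.inbound(Pkt(attacker, 51000, HONEYPOT, 23, "tcp")),          # attacker connects in
        fw.outbound(Pkt(HONEYPOT, 23, attacker, 51000, "tcp")),         # reply: ACCEPT
        fw.outbound(Pkt(HONEYPOT, 0, ext, 0, "icmp")),                  # ping: ACCEPT
        fw.outbound(Pkt(HONEYPOT, 40000, ext, 53, "udp")),              # DNS: ACCEPT
        fw.outbound(Pkt(HONEYPOT, 40001, ext, 21, "tcp")),              # FTP within budget: ACCEPT
        fw.outbound(Pkt(HONEYPOT, 40002, ext, 21, "tcp")),              # FTP over budget: DROP
        fw.outbound(Pkt(HONEYPOT, 40003, ext, 23, "tcp")),              # Telnet out: DROP
        fw.outbound(Pkt(HONEYPOT, 40004, "192.168.1.10", 445, "tcp")),  # lateral move: DROP
    ]
    return decisions, fw.alerts
```

The alerts list is what the honeypot operator actually watches: a sacrifice box that starts opening new outbound connections is the moment the intruder reveals their next move.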